The Future of Information Security

by Martin
Libicki

To illustrate the future of information security, imagine me giving you a piece of
information, to wit, that the interests of your employers, the nation's security, and
world peace would be greatly advanced if you were to, literally, take a long walk off a
short pier. Few of you are likely to do that -- even though I have conveyed a piece of
information to a set of very complex information-processing systems, that is, you, the
reader.

The basic reasons are obvious: I have no authority to make you do anything, the act
suggested is something no sane person would do, and there is little if anything I can say
that will make you insane. In a nutshell one can recognize the three primary methods by
which information systems are protected: authorization, message filtration, and ensuring
the integrity of core processes -- or to put it more in terms of today's tools: good
passwords, firewalls, and virus detectors.

However, imagine me as an internationally recognized expert in information warfare
asserting that the threat of information warfare would be to the 21st century what the
threat of nuclear warfare was to the latter half of the 20th century. To my mind this is
still lunacy, albeit a more subtle one, but it is a proposition which some people would be
more inclined to accept -- indeed, many act as though they do. This piece of information
does not get blocked by the obvious filters. But, it too, is potentially dangerous.

There, in a nutshell is the message. As computers become smarter, more sophisticated, and
more flexible, they will become more like us. That is, they will acquire the reliable
information security provisions that all of us carry around as our basic make-up. Yet, as
they become more like us, they will begin to ingest information at the semantic level from
outside sources as we do (as in fact, you are doing now), and will thus be heir to more
subtle but no less problematic forms of information warfare. Or, to put it simply: today's
problems will pass and tomorrow's will rise -- I just cannot say exactly when either will
occur or how quickly. What I can try to do is lay out some indicators and
warnings of each.

It is important to note that forecasts about information security are inevitably forecasts
about information systems themselves. A large part of what makes information systems open
to attack is that they contain bugs, often and pertinently referred to as undocumented
features. The more experience one has with any one piece of software the more holes can be
closed. Yet, even a perfect fix lasts only until the next innovation hits the system. To
give an example: it used to be one could open up any E-mail without worrying about what it
might do to your system. But, over time, E-mail has come to contain attachments;
attachments often come with activatable macros, and macros, in turn, may carry viruses.
This is a problem that simply did not exist several years ago. In years to come, one might
make similar statements for objects over networks, ActiveX files, and others in that
menagerie. As such, the art of forecasting tomorrow's troubles is intimately related with
the art of forecasting tomorrow's pointless wonders.

Key Trends

Let's start off by looking at some of the key factors that influence the
current level of information security: legacy systems, the threat, consciousness of the
threat, operating systems, security tools, the cost of storage, the Internet, and
cryptographic methods. This examination is offered with the caveat, of course, the current
state is a matter of serious dispute. Not every system fault is the result of a hacker;
but some are. Many such faults go unnoticed. And, a record of what is, is an indicator,
but only an indicator of what could be.

Legacy Systems: In the old days, information systems were relatively secure by
virtue of being hosted on large proprietary machines and connected to very little. What
makes systems vulnerable is the shift to smaller and far more open systems (not built with
security in mind) coupled with the rise of networking. For many of us, small open
networked systems are the here and now; for others, however, they are still in the future.
Sometimes it takes a situation like the Y2K bug to remind us that while the leading edge
of technology races ahead, the lagging tail may be long and thick. As people move away
from closed proprietary systems, they will expose themselves to more security risk,
especially in the process control sectors (e.g., SCADA systems). For this reason, but
perhaps only for this reason, one may see a decline in the average level of
information security over the next few years.

Threat: It is extremely difficult to know what the threat to information systems
actually is, and thus all the harder to know in what direction it is going. In terms of
actual day-to-day threat, information warfare has remained distinctly unimpressive. Most
computer crimes are internal affairs, and most external computer crimes arise, not from
systematic attack, but by small groups, or, more likely, random malevolence and even
curiosity run amok. Is the relatively benign past a predicator of a relatively benign
future? When the United States had one big enemy, no one could cogently argue that the
lack of a nuclear strike yesterday meant that the threat was gone. But today, the United
States faces, not one dragon holding its fire until the right moment, but a profusion of
snakes each with their own agenda and motivations. Thus, the question -- why haven't we
seen something big already -- deserves an answer. That is, if somebody has not done
something already, what makes one sure that anyone can do anything? Conversely, America
was, by contrast to Europe, considered immune to the more conventional sorts of terrorism.
After the World Trade Center bombing took place, that idea vanished.

In a sense, the threat by foreigners to U.S. information systems is a lagging indicator
just as the conversion of legacy systems is. The Russians and the Chinese appear to be
very interested in computer warfare -- at least if their published writings are at all
indicative. This makes sense; if one wishes to hold off the world's superpower, and if
information systems lie at the core of what makes the superpower super, then that's the
place to attack. That said, the Russians and Chinese seem to be more interested in the
possibilities of unleashing destructive viruses then they are in the world of day-to-day
computer intrusion. This bias may exist because they lack many open computer networks upon
which to practice their intrusive arts -- but a virus can be tested on a stand-alone
machine.

Will others grow interested in computer warfare? America is a trendy place and information
warfare is a trendy subject. We, who are drenched in silicon, will spin ourselves up on
this threat well before others catch on -- notably those others who live in lands
unblessed by much computer equipment and who thus lack an intuitive sense for their place
in a modern world. True, all nations, even poor ones, have some hackers; but
without a broad infusion of computer-consciousness within the top leadership, the
resources required to build hacker cadres and the wit required to put this approach on a
list of serious attack options is unlikely. Most enemies of the United States live in
places where systems are rare. That said, the entire world is becoming wired. If
information warfare is a popular meme within the Department of Defense, the awe with which
DOD is held worldwide cannot help but make it a popular meme everywhere else as well.
Hollywood, is of course doing its part; more often than not the cinematic proof that
someone is brilliant is provided by their being able to get into systems that they were
otherwise barred from. Thus the option of information warfare is likely to rise on the
agenda over time. Here too, the averages are affected as much by changes in the lagging
edge as by changes in the leading edge.

Trends in lower-level threats such as crime or terrorism are harder to assess. In general,
criminal enterprise tends to be responsive to opportunity with very little lag and thus a
lurch upwards in the direction of computer crime seems unlikely; at worst, a gradually
rising level can be expected. As for terrorism, the world's disaffected tend not to be the
more computer-sophisticated and are likely to prefer violent means for the time being.
Furthermore there is a great difference between five terrorist groups taking faux
credit for an obvious act of terror (e.g., a car bomb) and the same folks taking credit
for some glitch (e.g., a telephone outage) which may equally well be an act of nature,
human error, design flaw, or the result of hostile activity.

Consciousness: The flip side of trying to gauge the changing threat is trying to
gauge whether people are going to start taking computer security more seriously or not.
The two are, of course, related; the greater the threat, the more likely people will take
security seriousness; no threat, less response.

What other indicators should one look at? One indicator may be how people respond
to the Year 2000 problem. Assume the problem is as serious as people think, that many
systems owners respond late, poorly, or not at all, that consequent damage results, and
that lawsuits start to fly. What kind of echoes will this cause? Will systems owners be
held liable for damages to third-parties due to software negligence? What standard for due
diligence will result? Will users learn to be wary of anything a computer produces (thus
reinforcing the need to keep wetware in the loop)? And, of course, will people take the
same view of a system owner's inability to keep intruders out as they might for their
fecklessness in dealing with the inevitable transition from the year 1999 to the year
2000? Wild cards may make a difference. Say a major earthquake hits California leading to
the failure of institutions that have failed to back up their data several hundred miles
away. Will people pay more attention to redundancy and back-ups as a result? Indeed, any
publicized systems failure is likely to heighten people's awareness of unnatural risks as
well.

Operating Systems: Most of the more serious weaknesses in computer systems lie
with the operating system itself. It may be unfair but indicative that Unix assumed its
current features at the University of California in the late 1970s, a time in its academic
history that may be described by many adjectives, of which "security" is
probably not one. In part because of its academic legacy people have been working on Unix
security, in many ways, harder than they do for any other operating system. Over time,
therefore, absent major changes, one might expect Unix to get more secure.

Indeed, one might have imagined that Windows NT, which is based on Digital's VMS (a
fairly secure system to begin with), plus another twenty years to reflect on information
warfare, would be highly secure. Strangely enough, current versions are less
secure than Unix and have bugs all their own. The computer industry seems, lately, to put
more value on slick features than steady performance. At some point, economies of scale
must set in, the nth added feature will not be terribly exciting, and computer
makers will settle down to engineering greater reliability into what they sell. But don't
ask me when.

In the meantime, the Web has become the focus of the computer industry's developments.
In some cases, especially electronic commerce, people are paying serious attention to
security. But the glitzy end of the Web business -- Java, ActiveX (which is worse),
automatic software updates, and the various plug-ins -- are all carriers of great mischief
from the unscrupulous.

Security Tools: Current trends in information security treat it is a problem
that can be solved by adding a patch here and there. Firewalls go on the outside of one's
system and are meant to filter out certain types of messages by looking at each packet and
making a determination based on their ostensible purpose (which can often be revealed by
their port number). Intrusion detectors look for particular activities which are
characteristic of known fault patterns and then take appropriate action (e.g., alert
administrators, withdraw user privileges, note what systems or numbers the intruder is
coming in from). Neither firewalls nor intrusion detectors are altogether reliable today,
but they are getting better against a given level of threat. It is unclear whether they
might go too far and make it possible for foes to instigate an anaphylactic attack, one
which, using the immune system metaphor, works by overstimulating and thus setting a
system's internal defensive mechanisms against itself.

The Cost of Storage: As the price of computer storage falls, the feasibility
of archiving everything rises to the point where no one has a credible excuse for losing
information (although finding archived information after the crash will take work). To
give an example, the 17-gigabyte DVD (digital versatile disk) of the year 2000 has enough
capacity to store the complete billing records of a week's worth of long-distance calls
made in the United States. In sensitive environments, very fast CD-ROMs (or any other
non-volatile memory) may replace writable hard disks for storing operating systems --
thereby giving viruses nowhere to rest. CD-ROMs operating with zero buffer can also log
everything that happens to a computer without some hacker going back and writing over the
record.

The Internet: The evolution of the Internet, itself, will shape the near-term
information security environment. The next version of the Internet Protocol, IPv6, has
provisions for many security features such as encryption, key passing, and digital
signatures. Eventually IPv6 will be universal, but deployment remains slow; the greatest
penetration is occurring within specific circles of universities and other leading edge
sites.

Several features of the Internet make it particularly attractive for hackers. What
should only be a near-term problem is that the Domain Naming Service, which translates
names (e.g., www.ndu.edu) into byte-addresses is poorly protected and has little
authentication capacity. Chances are the former will be fixed, and, it may also be
possible to authenticate the true source of any message coming into one's system in most
cases.

A more permanent feature of the Internet is that it lacks a packet-level billing
system. This makes broad flooding attacks possible and makes more focussed attacks very
hard to trace back to their source. However, unless the free-packet structure of the
Internet proves to be its undoing, the prospects for packet-level billing are modest.

Cryptographic Methods: Cryptographic methods remain the most obvious tool for
information security. As hardware gets faster, the processing load for encryption and
authenticating messages can be expected to decline. This is obviously true if the key
length stays the same, and almost as certain if measured as the time it takes to encrypt a
message which takes a fixed X hours decrypt (as supercomputers get better, the
required key length rises). Thus, everything else being equal, cryptographic methods will
see greater use, and information security will rise.

Needless to say, everything else is not equal in this field, and there are important
policy and technology questions that must be factored in. The first policy question, of
course, is when -- not whether, but when -- the U.S. federal government will give up
trying to control encryption. One must admire the control effort both for its doggedness
and cleverness, but in the end, it can only delay the inevitability of technology. One may
debate the merits of key escrow forever, but there is no denying that industry does not
find the federal government helpful, and, indeed, is preparing to spend several million
dollars saying as much in the public media. In the meantime, however, federal policy is
confusing the market for encryption (perhaps deliberately so) and thus delaying its use as
a way to defend information infrastructures.

The confusion in cryptography is not doing any favors for the digital signature market.
The federal government built a digital signature standard around a technology, that has a
non-trivial side-benefit; it cannot be reverse engineered into a public key encryption
system. The market seems to prefer RSA's private standard. Compared to encryption, the
level of federal resistance to digital signatures is far less and parts of the federal
government are, in fact, working hard to encourage its use. The immediate requirement,
particularly for electronic commerce, is greater, and thus digital signatures are likely
to proliferate. A real spur to its use may come if and when people exploit digital
signatures as a apply-once use-forever stamp to documents. For instance, college graduates
may get a signed and dated bitstream of their grades that they could give to anyone;
recipients could verify its authenticity by computer.

Technology remains the wild-card behind any forecasts of encryption's use. Innovations
such as elliptical methods or cryptographic analysis will affect the time required to
generate or break codes. Yet, very little in the last fifteen years has broken the
fundamental fact that increases in key length have a modest affect on the cost of making
codes and a major affect on the cost of breaking them. The one joker in the deck is the
prospect of quantum computing which can break the back of the prime factoring problem
thereby rendering both public key encryption and digital signatures obsolete. But no one
knows whether quantum computers will work.

Summary: Overall, near-term prospects favor greater information security.
True, closed systems are continuing to open up and the number of opportunities for waging
computer warfare continues to rise. Yet, protection tools are becoming better, the
Internet is likely to become more secure, the costs of backup and redundancy are likely to
fall sharply, and cryptographic methods are likely to spread.

Potential Bends

At this point, I want to explore the second half of the future: the prospect that while
the long-term information security environment is likely to become better in obvious ways,
it is likely to worsen in subtle ways. The key to understanding this phenomenon lies with
how tomorrow's information systems are going to be used.

As noted earlier, the increasing power of hardware and the growing sophistication of
software suggests a future in which silicon starts to act more like carbon: that is,
computers take on more characteristics of humans while networks take on more
characteristics of human organizations.

Tomorrow's information systems are likely to make, or at least set the table for, more
judgements than today's do. What is more, the feedstock for these judgements are likely to
be information harvested from the world out there. Such applications are likely to appear
among institutions that depend on reacting to an outside environment: e.g.,
politico-military intelligence, business sales-and-marketing, environmental control, or
broad-scale social service functions such as law enforcement, traffic regulation, or
public health. Institutions that do not react with the outside directly but may learn from
external experience may develop some links with the outside world. Process control
applications may never have these links, at least not directly. Yet, even process control
applications may not be immune to influence. For instance, a toy company may have its
agents cruise the Web in search of data to help them predict the hot trend for next
Christmas. The results of its search will change what it makes, thus its production mix,
and thus how it schedules and supplies its production lines -- a classic process control
application.

Today, computers process information using tight algorithmic logic from a carefully
controlled set of inputs -- the way they are supposed to. Tomorrow, computers may use
techniques of logic processing, or neural network technologies to sift through a trusted
set of material and bring things up to human attention. The day after, so to speak,
computers may reach and present conclusions based on material of widely varying
reliability. Thus a military intelligence system may evaluate the relative security of a
village through a combination of authenticated overhead imagery, an analysis of
potentially spoofable telephone switch activity and overnight police reports, and the
collective detritus of written gossip from electronic community bulletin boards. A traffic
controller may set stop-lights based on monitored traffic flows, plus a forecast of the
kind of traffic loads selected large events may generate based on what their organizers
predict. A drug company may put out usage advisories to doctors based on combing through
data-bases on hospital treatments and outcomes. Individuals may plan their evenings out
based on the suggestions of their agents trolling web sites that list entertainment
offerings cross-correlated by less formally established "what's-hot" lists.

Needless to add, there will be people who find it worthwhile to corrupt such systems. They
may not all be criminals; indeed, many of them would classify themselves as basically
honest gamesmen eager to put the best face on the world's data-stream in order to
influence the judgements of Web users. Some Web sites are crafted so that their URL
appears at the top of search lists generated by automatic tools (e.g., Altavista). It
would not be surprising to see the less scrupulous engage in many of the same fraudulent
techniques of misrepresentation and lying that today's con artists do. Indeed, for a long
time to come, computers will be easier to con than people will. Thus, a flow of false
information on patient histories that reflect the efficacy of a licensed drug may subtly
shift a system's recommendations to another one (bad reports of which are buried). A
series of reports on the flow of loans to an otherwise suspect lender may convince rating
agencies to boost its reputation and permit it to garner loans that it otherwise would not
deserve (and has no intention of paying back).

Once you have this picture of the future, it does not take much imagination to forecast
what else may go wrong. So here goes:

Learning Systems and Neural Net Computing: For the most part, one can determine
why a system does what it does by examining its source code to learn what and querying
coders to learn why. Tomorrow, that process may not be so easy. Computers may learn from
experience. If they use traditional AI, they will build and refine a data base of rules
that will govern the logic by which they draw conclusions. If they use neural nets, they
will steadily tune their association matrices by using real-world test sets and backward
propagation.

All this is well and good -- until something goes wrong. If the experience base upon which
learning systems or neural nets have been corrupted then their conclusions will be
similarly corrupted. Fixing them will be costly. Corruption must be detected, and that may
be possible only by observing poor decisions. What if the corrupter alters the input so
that the system makes a bad decision only when it encounters a very specific input set?
Unless one knows the input set, corruption may be completely masked. Even if the nature of
the corruption is determined, when the system was corrupted has to be estimated.
Then the system can be reset to its last known uncorrupted state, if one has
archived such parameters. Otherwise, the system has to be returned to its original
settings, which means losing all the learning that has taken place since it was turned on.

Software Agents: One of the ways integrated open systems work is by letting
clients place software agents on servers. These software agents, in effect, query servers,
in some cases periodically. Sometimes results go back to the client. In other cases, one
agent or a part of an agent may be sent forward to other sites. For instance, a travel
agent, so to speak, interested in putting together a
meals-lodging-entertainment-and-transportation package may be split into four sub-agents
(each of whom then go out looking for the best deals in their area, return candidates, so
that the master agent can fit them together).

In theory anything an agent can do may be done by successive queries, but the use of
agents saves on message traffic (especially for "tell-me-when" requests) and
permits in-server consolidation. Badly designed agents, whether by not-so-benign neglect
or malign intent, may cause some servers to cycle forever for an answer, set up a mutually
destructive server-to-server harmonic, or may replicate without bounds and clog entire
networks. Malevolent agents may look for certain outgoing mail, and then work their way
into systems from which it originated. If mischievous enough, such agents could have a
chilling effect on free network speech. Indeed, network administrators are already
beginning to understand that bringing a network to its knees does not take many automatic
E-mail responders (All it takes is one message sent to at least three individuals on
vacation that echo an "I am on vacation" message to everyone on the original
mailing list).

Hijacked agents or agents forwarded to successively less trustworthy servers ("a
friend of a friend of a friend ...") may relay misleading or dangerous information
back. In a sufficiently rich network, replicating agents may be carriers of replicating
viruses whose eradication may be fiendishly difficult if there are niches in the network
ecosystem that cannot be identified or do not cooperate.

Ecologies: The reference to ecosystems was deliberate. Systems, beyond some point
of complexity, and many seemed to have reached that point, become extremely difficult to
control in the sense that one can predict the performance of the whole by understanding
the performance of each part. Even perfect understanding of components cannot predict all
fault modes in a succinct way. Although today's hacking requires active intruders, much of
the risk and tedium associated with malicious hacking can be transferred to bots -- pieces
of code that wander the Net looking for a computer to roost in. A single hacker unleashing
a flood of junk to clog a system can be traced and stopped; perhaps even caught. Similar
effects, however, may be generated by implanting a virus in thousands of systems. Turning
on one or two (e.g., including a key word in otherwise innocent text) can simulate a chain
letter on steroids, as each infected system turns on another, with thousands of sites
flooding the system, well before their owners know what is going on.

Mother Nature has long ago given up trying to govern complex systems by imposing behaviors
on each component. Instead, ecologies carry on from one year to the next through a mix of
competition, diverse niches, predator-prey relationships, and, above all, a facility for
adaptation and evolution. Tomorrow's networks may need some way to maintain homeostasis by
populating themselves with analogous instruments. Needless to add, of course, no one will
get the proper combination and distribution of instruments right the first time. It is not
much of a leap to see how such instruments may be used by evildoers to bring systems down
to the silicon version of extinction, at least temporarily.

A New Approach: All this suggests a completely different approach to information
security. Consider how complex humans are compared to computers and how they, like
computers, network themselves in order to exchange knowledge. Yet, for the most part, it
is difficult for humans to pass disabling bitstreams among each other. Few word
combinations can cause a rational person to seize up, spin cycles endlessly, or flood
friends and acquaintances with pointless communications. Why? As noted earlier, humans
accept inputs at the semantic rather than syntactic level; messages are converted into
specific meanings and then processed as such. Information and commands are screened for
harmful nonsense.

Yet, as any observer of human affairs can attest, cognition does not prevent certain
messages from achieving widespread and deleterious affects. Ideas grip the imagination and
spread. Some induce "extraordinarily popular delusions and the madness of
crowds" (indeed, "information warfare" is, itself, such a meme). This is
where education, notably classical education, comes in. People are trained to externalize
and objectivize information and view it as something separate from the self; to examine
information critically and thereby avoid the twin hazards of excessive naivety or total
cynicism. Rhetoric deals with the proper inference of intentions from statements. Logic
deals with generating correct implication therefrom. Language is taught as a precision
tool so that information could be passed and understood with clarity. Etiquette governs
what people say (and how intrusively) and inculcates propriety so that people keep private
information private. Thus can humans interact with others, even strangers, to form
functioning organizations and other relationships.

Building such sophistication into silicon will not be easy, both technically and socially.
To exchange information requires conformance to shared norms at several levels: of
meaning, of intention, of context, and of behavior (e.g., what constitutes a legitimate
piece of information). Without shared norms -- standards as it were -- there is no meaning
but only programmed reactions. As long as that is true, it will be difficult to defend
information systems from a potentially polluted environment except through mechanisms
antithetical to the way we would like to see ourselves be. That is, we will have erected
castles, moats, gates, and sympathetic brigands to defend ourselves against cyber
highwaymen.

Computers cannot be made consistently more powerful and remain safe if they are not
endowed with the power not only to input and output bytes but understand them. But, having
taught them to listen and speak we must simultaneously teach them proper manners.

Recapitulation: The moral to the story will be, if not familiar, then at least
recognizable.

The old model of information security is hard and closed: users, processes, and code are
either licit or illicit. There is no grey area. The trick is to differentiate between the
two, give the former just enough liberty to do their job, and close the system off to the
rest. This model is not entirely bad; indeed, one ought not to run a military C2 net,
nuclear power plant, air traffic control system, telephone switch, or funds transfer
system any other way.

The new model of information security is open and fuzzy. It is necessarily that way
because the systems that we want to both exploit and protect must be open to the outside
world and learn from it. One therefore needs a security model that recognizes that fact
and makes continual judgements over the validity and reliability of information it
ingests. All of this presumes, of course, that the core functions are lock-tight, and
that, in turn, requires that the architecture of what must be protected is both simple and
transparent. Ironically, that is key to letting systems deal with ambient complexity and
opacity. The first challenge ought to be simple; regretfully we have made it complicated,
but, one hopes, not too complicated, thereby leaving us with the really fun complex
security problems of the future.